Three Laws of the IoT
The Internet of Things (IoT) can be a mighty scary place. Whether you’re worried about privacy violations when Google Analytics meets your electric meter, malware shutting off the pacemaker or other scenarios for death through devices, there’s lots to be concerned with. At the same time, the IoT technology frontier’s a bit like the Wild West with little assurance of safety and not much in the way of unifying frameworks. So…
Is it time to dust off Isaac Asimov’s Three Laws of Robotics?
The Three Laws are:
- A robot may not injure a human being or, through inaction, allow a human being to come to harm.
- A robot must obey the orders given to it by human beings, except where such orders would conflict with the First Law.
- A robot must protect its own existence as long as such protection does not conflict with the First or Second Law.
Security Architect’s Three Laws of the IoT:
- A Thing fails safe, protects its customers’ security and privacy, and must never injure a person, or through inaction, allow a person to come to harm.
- A Thing must obey the orders given to it by its owner, except where such orders would conflict with the First Law.
- A Thing may protect its own existence or follow the orders of Authorized Third Parties, except where such actions conflict with the First or Second Law.
I originally wrote this post December 10, 2014 and at that time thought applying Asimov’s laws to the IoT from a security AND privacy perspective would be a mighty cool idea. I shelved the file because I was busy with 2 simultaneous consulting contracts and didn’t have time to do the deeper analysis I wanted to do.
But yesterday I discovered someone had independently applied Asimov’s laws to cybersecurity and already done some detailed analysis. I refer to a paper by Daniel Dresner and Neira Jones called “The Three Laws of Cyber and Information Security.”
Unfortunately, Dresner and Jones’s paper does not appear to address privacy or even contain the word (except in the titles of some references on the second to last page). This concerns me, but I need to dig deeper into the paper to fully understand its semantics. I’ve already made one modification: I changed one of the paper’s memes (“Protect. Operate. Self-preserve.”) to “Protect. Obey. Self-preserve.” for the purposes of my own work.
Questions and Definitions
Protect: Depends on what the Thing is protecting. In most of the world, Fair Information Privacy Principles (FIPPS) are acknowledged as human rights that must be protected. They entail more than confidentiality, integrity and availability.
Obey: Who should a Thing obey, when and for what? Should it obey the User, the Owner, the Seller, another Thing?
Self-preserve: How should a Thing preserve its own integrity, availability and confidentiality?
Thing: A device, app, or smart data artifact.
Customer: An Owner of a Thing, or another User of the Thing that is authorized by the Owner.
Owner: The natural person that has purchased, or otherwise obtained, legal custody of the Thing.
User: A natural person using a Thing.
Authorized Third Parties: People or Things involved in the manufacture, sale, delivery or support of a Thing in compliance with all contractual and regulatory requirements set between the Owner, the Seller, Jurisdictional Authorities and other Authorized Third Parties.
Seller: The Authorized Third Party with a direct contractual relationship to the Owner of a Thing.
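As an added illustration (not part of the original post or of the Dresner and Jones paper), the precedence of the three laws can be expressed as an ordered authorization check that denies by default. The class, the action names and the principals below are hypothetical, and the sketch assumes the issuer has already been authenticated, that unsafe actions are listed in advance, and that a User the Owner has authorized is obeyed on the Owner's behalf.

```python
from dataclasses import dataclass, field

@dataclass
class Thing:
    """Hypothetical command arbiter applying the three laws in order."""
    owner: str
    users: set = field(default_factory=set)           # Users authorized by the Owner
    third_parties: set = field(default_factory=set)   # e.g. the Seller
    known_actions: set = field(default_factory=set)   # everything the Thing can do
    unsafe_actions: set = field(default_factory=set)  # First Law: never executed
    owner_denied: set = field(default_factory=set)    # Owner's standing orders

    def decide(self, issuer, action):
        """Return (allowed, reason). Every path not explicitly allowed is denied."""
        # Fail safe: an action the Thing cannot reason about is refused.
        if action not in self.known_actions:
            return (False, "fail-safe: unknown action")
        # First Law outranks every principal, including the Owner.
        if action in self.unsafe_actions:
            return (False, "law 1: would cause harm")
        # Second Law: obey the Owner (assumption: delegated Users too).
        if issuer == self.owner or issuer in self.users:
            return (True, "law 2: owner order")
        # Third Law: third parties act only where the Owner has not objected.
        if issuer in self.third_parties:
            if action in self.owner_denied:
                return (False, "law 3: conflicts with owner order")
            return (True, "law 3: authorized third party")
        # Fail safe: anyone else is refused.
        return (False, "fail-safe: unknown issuer")

def demo_thing():
    # Constructed sample configuration for a smart home hub.
    return Thing(
        owner="alice",
        users={"bob"},
        third_parties={"seller"},
        known_actions={"unlock_door", "disable_smoke_alarm",
                       "firmware_update", "upload_usage_data"},
        unsafe_actions={"disable_smoke_alarm"},
        owner_denied={"upload_usage_data"},
    )

if __name__ == "__main__":
    t = demo_thing()
    for who, what in [("alice", "disable_smoke_alarm"), ("seller", "firmware_update"),
                      ("seller", "upload_usage_data"), ("mallory", "unlock_door")]:
        print(who, what, t.decide(who, what))
```

The Owner's standing denial of `upload_usage_data` is where privacy enters the Third Law: the Seller can still ship updates, but cannot collect data the Owner has refused.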